AI governance should include the accounts, tokens, and APIs that let systems act, because those access paths are part of the control surface. If the model is governed but its delegated identities are not, the organisation still has unmanaged execution risk. NHI governance belongs inside AI governance, not beside it.
Why This Matters for Security Teams
AI governance breaks down when service account and delegated access are treated as “just infrastructure.” Those identities are the execution layer that lets a model, workflow, or automation actually do something, so they belong inside the governance boundary. The practical risk is not abstract: exposed API keys, cloud tokens, and orchestration credentials are often the fastest route from model access to data exposure or destructive actions, as shown in NHIMG research such as Top 10 NHI Issues and LLMjacking: How Attackers Hijack AI Using Compromised NHIs. Current guidance from NIST AI Risk Management Framework and the OWASP Non-Human Identity Top 10 is converging on the same point: governance must cover the identities that act on behalf of systems, not only the model itself. In practice, many security teams discover this only after a delegated token has already been overused, reused, or exposed.
How It Works in Practice
Effective governance starts by mapping every delegated path a system can use: service accounts, API keys, cloud roles, workload identities, OAuth grants, and automation tokens. These are not implementation details. They define what the AI can reach, change, or exfiltrate. The strongest pattern is to treat each delegated access path as a governed NHI with an owner, a purpose, an expiry model, and revocation criteria.
In practice, that means aligning AI approval workflows with identity controls rather than only model review. A platform team may approve a model for customer support, but the security team should also validate the service account that reads customer records, the token that calls the ticketing system, and the role that writes back to the CRM. Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because lifecycle discipline applies to delegated access as much as it does to machine identities. The operational goal is to reduce standing access, prefer just-in-time issuance where possible, and enforce rotation and revocation on a schedule that matches actual usage.
- Classify every service account and delegated token by business purpose.
- Bind each identity to a named owner and a specific AI workload.
- Prefer short-lived credentials and scoped tokens over long-lived static secrets.
- Review tool permissions as part of model change control, not after deployment.
- Log every delegated action so approvals and runtime behaviour can be reconciled.
For policy and control mapping, NIST Cybersecurity Framework 2.0 helps anchor governance, while Ultimate Guide to NHIs — Regulatory and Audit Perspectives shows why audit evidence must include access lineage, not just model documentation. These controls tend to break down in multi-agent environments where one agent can chain tool calls through another agent’s delegated credentials because the effective trust boundary becomes unclear.
Common Variations and Edge Cases
Tighter delegated-access governance often increases operational overhead, requiring organisations to balance lower execution risk against faster deployment and lower support friction. That tradeoff becomes sharper when teams mix human approval flows with autonomous systems, because a token that is acceptable for a human operator may be far too broad for an agent that can act repeatedly without fatigue.
Best practice is evolving for cases where an AI system delegates again to sub-agents or external tools. There is no universal standard for this yet, but current guidance suggests treating each hop as a fresh trust decision rather than assuming the original approval automatically extends downstream. This matters in event-driven pipelines, customer-facing copilots, and orchestration layers that can trigger write operations across multiple systems. The same issue appears in credential sprawl: when teams store secrets in multiple managers or copy tokens into prompts and pipelines, governance weakens quickly. NHIMG research on The State of Secrets in AppSec is relevant because secret fragmentation and slow remediation make delegated access harder to track and revoke.
Governance also needs to distinguish between ordinary application service accounts and AI-controlled delegated identities. If the AI can choose when to call tools, in what order, and with what data, then runtime policy matters more than static role assignment. That is why many teams are moving toward policy-as-code and request-time authorization, but the mature operating model is still emerging. In environments with legacy shared accounts, long-lived batch jobs, or unclear ownership across SaaS and cloud platforms, the control model tends to break down because no one can prove who granted which authority, for what purpose, and for how long.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses weak lifecycle control over service accounts and delegated secrets. |
| OWASP Agentic AI Top 10 | A-05 | Covers agent tool access and delegated execution risk in AI systems. |
| CSA MAESTRO | TRI-3 | Maps directly to trust and identity controls for agentic workflows. |
| NIST AI RMF | Govern function requires accountability for delegated access used by AI systems. | |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access management apply directly to delegated AI access. |
Inventory delegated identities, enforce rotation, and revoke access on defined lifecycle triggers.